CVE-2022-38150 — Uncontrolled Resource Consumption in Cache Project Varnish Cache

CWE-400 — Uncontrolled Resource Consumption CWE-20 — Improper Input Validation6 documents6 sources

Severity

7.5HIGHNVD

EPSS

0.7%

top 28.31%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Varnish-cache Varnish Fedoraproject Fedora Varnish Cache Project Varnish Cache

Timeline

PublishedAug 11

Latest updateAug 12

Description

In Varnish Cache 7.0.0, 7.0.1, 7.0.2, and 7.1.0, it is possible to cause the Varnish Server to assert and automatically restart through forged HTTP/1 backend responses. An attack uses a crafted reason phrase of the backend response status line. This is fixed in 7.0.3 and 7.1.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶Debianvarnish-cache/varnish< 7.1.1-1+2

▶NVDvarnish_cache_project/varnish_cache4 versions+3

Also affects: Fedora 35, 36

🔴Vulnerability Details

GHSA

GHSA-jg6x-rh3w-6pp3: In Varnish Cache 7↗2022-08-12

▶

OSV

CVE-2022-38150: In Varnish Cache 7↗2022-08-11

▶

CVEList

CVE-2022-38150: In Varnish Cache 7↗2022-08-11

▶

📋Vendor Advisories

Red Hat

varnish: denial of service via colon-starting reason phrase↗2022-08-09

▶

Debian

CVE-2022-38150: varnish - In Varnish Cache 7.0.0, 7.0.1, 7.0.2, and 7.1.0, it is possible to cause the Var...↗2022

▶